Joined February 2025
3kg bundle of joy, in my home! This is @Google @GeminiApp congratulating me after helping navigate a VBAC-related decision situation safely. Proud father here, #Web3Security fam. Rejoice with us, @8x8 @basecamp @Hacker0x01 @cosmoslabs_io @immunefi #42x42 Y'all forces 4 good.
CVSS Score: 10.0! WTF! CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H I have literally taken over this whole banking system. I hold them in the palm of my hands. It feels good to be whitehat. #bugbounty #securityresearch Dear project, make it worth it. I'm the new CEO.
🔥 CALLING ON @Hacker0x01 ! - A SILENT FIX CASE. Jan 21: Reported a HIGH sev bug to program, triaged by/via H1. Jan 26: Program confirms it's "legitimate bug, warrants fixing", then marks it Informative for irrelevant reasons. My technical rebuttal: ignored. Jan 30: Requested H1 mediation. 5 months of silence. This week: SILENT FIX. Found my exact prescribed fix silently merged April 16. No bounty, no credit, no mediation, no reply. @Hacker0x01 it's been a whole 5 months since I requested mediation on report #3519919. Not even a beep. Instead of getting mediation, I got silent fix. Anyone home? #bugbounty #web3security
Zer0day Sec 🗡 retweeted
Like LLM running on immutable smart contracts.
Zer0day Sec 🗡 retweeted
Jun 14
🚨BREAKING: The U.S. government gave Anthropic 90 minutes to shut down Fable and Mythos. "Amazon AND others" called senior administration officials to warn about models' capabilities. Then: 1:00pm: Government calls. "Take it down." Cites "national security threat." No details. Anthropic asks what the threat is so they can fix it. Government said NO. 5:30pm: Commerce letter arrives with export controls. You have 90 minutes…
REQUESTING @Hacker0x01 HELP! - SILENT FIX ISSUE. Jan 21: Reported a HIGH sev bug to program, triaged by/via H1. Jan 26: Program confirms it's "legitimate bug, warrants fixing", then marks it Informative for irrelevant reasons. My technical rebuttal: ignored. Jan 30: Requested H1 mediation. 5 months of silence. This week: SILENT FIX. Found my exact prescribed fix silently merged April 16. No bounty, no credit, no mediation, no reply. @Hacker0x01 it's been a whole 5 months since I requested mediation on report #3519919. Instead of getting mediation, I got silent fix. Anyone home? #bugbounty #web3security
Obfuscation =/= Encryption 🔐 Remember: if we found it, reverse-engineered it, who knows who else had done the same without responsible disclosure? Just... fix it, ASAP. Our job is done here. Value added.
Jun 10
🚨 Raydium drained of ~$1.3M (reported by @PeckShieldAlert / Specter) Attacker funded from KuCoin → bridged Solana to ETH → laundered 810 ETH via Tornado Cash, 7 ETH to FixedFloat. Tracing the on-chain flow now. 👇
Zer0day Sec 🗡 retweeted
Adversaries aren't slowing down. Are you keeping up? ⚠️ 27-second breakout times ⚠️ 89% increase in AI-enabled attacks ⚠️ 82% of intrusions are malware-free The threat landscape has changed. Has your defense strategy? Watch the full video: crwdstr.ke/6014B8LHu8
Contemplating how to hacker-handle a Web3 project that CHEATED me... 🤔 🌙 Suggestions needed please.
Zer0day Sec 🗡 retweeted
Replying to @WhiteHatMage
My other concern is that we have stopped creating content. We are only consuming what AI and search engines present. When last did we make a forum post? A post on Quora? A Medium original article? A real solution posted on StackOverflow? We are now recycling and doing. Fine, but in the next 5 years, guess what happens? We must not forget the art of publishing. Writing. Authorship. It's a way of protecting the future. Even in security research. 0daysec.xyz
A crit, reported in just 2 paragraphs, triaged within 2 hours and 10k awarded within 3 hours. That's the epitome of a true hacker and zero-day hunter-killer. You're welcome!
Free audit? Really? Yes. 🛡 At 0daysec.xyz we offer complimentary security reviews for builders and projects across: - Smart contracts: Solidity, Rust, Move, Vyper, you name it. - DLTs & blockchain infrastructure - Web3 protocols & bridges - Web2 & traditional AppSec - APIs, backends, and full-stack applications - Any language. Any stack. With our iconic and never-before-seen #0dayHI, we catch what both humans and AI tools miss. Yes, real zero-days. Early stage or live in prod, if you're building something that matters, security shouldn't be a barrier to getting started. DMs open. Let's talk. Learn more at 0daysec.xyz
For the record, I feel CHEATED by...

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.0;

    // Each string holds the hex encoding of an ASCII sentence.
    contract eMsg {
        string public line1 = "0x466f7220746865207265636f72642c2049206665656c204348454154454420627920612062696720576562332070726f6a6563742e";
        string public line2 = "0x576861742063616e2061206861636b657220646f2061626f75742069743f";
        string public line3a = "0x50726f6261626c792065766572797468696e672e";
        string public line3b = "0x50726f6261626c79206e6f7468696e672e";
        string public line4a = "0x4861636b6572732068617665206e6f20706f7765722e";
        string public line4b = "0x4861636b657273206861766520414c4c2074686520706f7765722e";
    }
Parenting while hunting: an amazing combo! Feels amazing, you should try it. 😃 #BOJ #Jade #BugBounty #DOAW
Our recent works @Zer0day_sec keep re-hammering a cold fact, the reality of which many projects are still trying to grapple with: THE DAYS OF SECURITY BY OBSCURITY ARE OVER! If we found it, malicious actors can find it, and could have already found it too. A dangerous thing about these "secrets" is that their exposure/impacts could be STEALTHY!! So, dear projects, even while you're still arguing bounty, JUST F*CKIN FIX IT ALREADY! @Hacker0x01 @immunefi @HackenProof
Or are you trying not to fix so that you won't be bound to pay a bounty? That doesn't make sense. Does it? And as whitehat, we are bound by strict program rules. When we find these, there is a strict limit to what we could do with them. We don't want to break these rules.
If you see the very dangerous gambles many high-profile projects are taking, you'd be amazed. That's why some exploits, info leakage, data exfils, however sophisticated they look from the outside, would never surprise me. They are trivial. A case study: One could get hacked anytime using a hardcoded secret that looked benign on the surface; the secret was just used for nothing meaningful. And in their program details, they shot themselves in the foot by classifying such weaknesses as OOS. What they obscured, or so they thought, was the fact that the same data combined with some other data were called at runtime for critical cryptographic calls. We saw this, yet they claim it's OOS. Tracing that call required either advanced tooling or insider info. As we speak, the secret is still live. Not rotated. This is disappointing.
You should be grateful we found it first, or at least showed you it could be found. But wait, were we really the first to find it? Only time will tell, if you ever declared all your exploits. FIX IT.